System And Method Of Non-Centralized Zero Knowledge Authentication For A Computer Network

ABSTRACT

Zero-knowledge authentication proves identity without revealing information about a secret that is used to prove that identity. An authentication agent performs authentication of a prover agent without knowledge or transfer of the secret. A non-centralized zero-knowledge authentication system contains multiple authentication agents, for access by multiple computers seeking access on a computer network through local prover agents. Once authenticated, those multiple computers may also implement authentication agents. The secret may periodically expire by publishing a new encrypted secret by a trusted source, thwarting attempts to factor or guess information about the secret.

RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 10/687,320, filed Oct. 16, 2003, which claims priority to U.S. Provisional Application No. 60/418,889, both of which are incorporated herein by reference.

BACKGROUND

Computer systems intercommunicate via computer networks. For example, a first computer system frequently communicates with a second computer system over a computer network to obtain information. The computer network may include many different communication media. In one example, the computer network is an Ethernet local area network (“LAN”). In another example, the computer network is a wireless LAN. Information stored on the first computer system is often sensitive such that access to the information must be restricted. Accordingly, the first computer system often requires that the second computer system be authenticated before allowing the second computer system to access the information. Access to the computer network may also be restricted, requiring any computer system wishing to join the computer network to be authenticated before communicating with other devices on the network.

Authentication typically utilizes an identification protocol that requires a computer system to identify itself with authority to access a restricted computer system. In one example, a first computer system may require a “password” from the second computer system to enable authentication. However, in situations where the communication between the first and second computer systems is monitored by a third computer system, the password may be obtained by the third computer system, allowing unauthorized access by the third computer system to the first computer system. Identification protocols that provide authentication without transmission of a secret password, known as a ‘key’, are therefore utilized. A zero-knowledge identification protocol (“ZKIP”) is one example of a protocol that provides authentication without transmitting the key, thereby preventing the key from being stolen and misused.

Typically, in a computer network that uses authentication, there is only one authenticator that stores keys used to authenticate requests from other computer systems. The use of a single authenticator, however, may result in access problems when the computer system running the authenticator fails, or where communications to the authenticator fail, for example. Where the authentication is for important data or services, failure of the authenticator may prevent access to the data or services. Further, the use of a single authenticator also causes congestion within the computer network as all authentication traffic is directed to a single location.

Where a computer network is highly scalable and dynamic it is important to authenticate each computer system as it attempts to access the computer network. A digital mobile telephone network is one example of a dynamic computer network. The digital mobile telephone network consists of multiple base stations that are networked together, each base station providing one or more cells for the digital telephone network. Each mobile telephone handset connects to, and disconnects from, these cells as the handset changes location. It is therefore important that any authentication process used within the cell network be as fast and efficient as possible. Typically, to meet speed requirements for a digital mobile telephone network, the authentication process is simplified, thereby making it less reliable and less secure, making the mobile telephone network highly susceptible to snooping by third parties.

SUMMARY OF INVENTION

U.S. Pat. No. 4,748,668, titled Method, Apparatus and Article for Identification and Signature, is incorporated herein by reference.

In one aspect, a method provides non-centralized zero knowledge authentication within a dynamic computer network. The dynamic computer network includes two or more authentication agents that interact with prover agents within computers wishing to gain access to the computer network. Using a zero-knowledge authentication protocol, the prover is either authenticated, or not, without communication of a secret.

In another aspect, a software product (firmware, for example) is distributed with a hardware device to provide non-centralized zero-knowledge authentication. In one example, the hardware device is a router connected to a network. The router communicates with a prover agent within a mobile computer (e.g., a laptop computer system or a mobile telephone handset) that seeks access to the network. Once the prover agent is authenticated and authorized, the router permits the mobile computer to access part of or the entire network.

In one aspect, methods are provided for authentication of identity or group membership. One such method involves zero-knowledge authentication. An authentication dialog between a verifying agent (“verifier”) and an agent to be verified (“prover”) is conducted without revealing information about a secret (“secret”) that is used to prove identity (or group membership without actually disclosing prover's identity). Authentication is achieved when verifier asks prover I-times (I>0) to perform an action that can only be reliably performed by an entity that knows a secret. Prover answers verifier with results of action. If prover does not answer correctly, authentication is invalid. This challenge-response-validation iteration is repeated I-times to establish a sufficient level of probability that prover answered with knowledge of secret. One advantage of zero-knowledge authentication is inability for an eavesdropper to learn secret and steal means to prove identity to verifier. Another advantage is inability for verifier to later masquerade as a prover to a third-party.

In another aspect, methods are provided to allow for greater probability of correctly authenticating prover with fewer challenge-response-validation iterations. One such method allows prover to have a set, greater than two, of possible answers, as is provided by Fiat-Shamir protocol. For example, a prover that answers verifier correctly with a member of set {0, 1, 2, 3} has a 25% chance of being incorrectly authenticated with one challenge-response-validation iteration. Following Fiat-Shamir protocol, prover will answer verifier with one of two possible answers {0, 1} and thereby require two challenge-response-validation iterations to achieve the same level of authentication probability.

In another aspect, an authenticator agent requires a prover agent to repeat an authentication protocol until a specified confidence level that a prover agent is correctly authenticated has been satisfied. For example, a confidence level of 99% may require 10 iterations, where a confidence level of 99.9999% may require 20 iterations.

In another aspect, a method of protecting a host from unauthorized client access over a network includes the steps of: creating a prover agent application on the client; creating a verifier agent application on the host; and creating a trusted source application to generate and publish encrypted values of a secret and product of first and second large prime numbers. The encrypted values are read for the secret and product, by the prover and verifier from the trusted source. The secret is decrypted, by the prover and verifier, and the product is decrypted, by the prover and verifier. A plurality of verification dialogs is performed between the prover and verifier, wherein the prover demonstrates knowledge of the secret and product without exposing the values of the secret and product. The client is denied access when the prover fails to demonstrate knowledge of the secret and product, and granted access when the client succeeds in demonstrating knowledge of the secret and product.

In another aspect, methods are provided to validate agents without unique indicia. One such method allows agents to validate based on indicia that they are within a category of agents who have knowledge of secret common to all authentic agents. An advantage of using non-unique indicia is elimination of overhead required to generate, maintain, and validate unique indicia.

In another aspect, methods are provided to publish secret used to authenticate agents. One such method allows a trusted source to periodically update and publish the secret and product of two large prime numbers (“product”). The frequency of updates is less than the predicted length of time a malicious party could factor product or guess secret. Trusted source generates, encrypts, and publishes secret and product. Prover and verifier read encrypted values for secret and product, from trusted source, and use previous values of secret and product to decrypt new values for secret and product. Prover and verifier now have all information required to perform authentication processes.

One advantage of using methods described above is elimination of steps required to derive keys to encrypt and decrypt messages.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a flowchart illustrating one process for generating and publishing secret and product of two large prime numbers;

FIG. 2 shows a method of decrypting secret and product of two large prime numbers;

FIG. 3 shows a challenge-response-validation iteration process between prover and verifier agent;

FIG. 4 shows a system with three clients, each including a prover agent, and a host computer with a verifier agent; and

FIG. 5 illustrates one system for providing non-centralized zero knowledge authentication within a dynamic computer network.

DETAILED DESCRIPTION OF DRAWINGS

FIG. 1 shows one method 10 for generating and publishing a secret and a product of two large prime numbers. Method 10 is, for example, implemented by a ‘trusted’ source as described below. In step 14, an initial value of secret s is generated from a seed value, and two large prime numbers (“p” and “q”) are randomly generated. Step 16 calculates a current product n′ (n-prime) of the two large prime numbers p and q, and initializes previous product value n (n-not prime) as equal to n′. In step 18, p and q are purged and made unreadable. In step 20, current secret number s′ (s-prime) is generated to be a value relatively prime to n, greater than 0, and less than n. In step 22, values for encrypted secret s″ (s-double prime) and encrypted product of two large numbers n″ (n-double prime) are generated as: s″=s′s mod n, and n″=n′s mod n. In step 24, previous secret number s (s-not prime) is set equal to s′ and n is set equal to n′. In step 26, values for n″ and s″ are published. At this point, publication process is complete and process 10 waits in step 28.

Values for s″ and n″ may become compromised by a malicious party that is able to factor or guess values. Therefore, the delay in step 28 terminates before values are likely to be compromised and process 10 is restarted at step 20 where a new s′ is generated.

FIG. 2 shows one method 30 of decrypting secret s″ and product n″. In step 34, an agent (e.g., a prover agent or an authentication agent) is created with an initial value for s and n. In step 36, the agent reads values of s″ and n″ published by the trusted source (e.g., method 10, FIG. 1). In step 38, values of s″ and n″ are decrypted by a modulus inverse operation. In step 40, the size of answer set (“t”) is used to determine a value (“v”) calculated as result of s′^t mod n″.

At this point, prover and verifier agents have data required to perform authentication. Because values for s″ and n″ published by trusted source periodically change, updated values for s″ and n″ will be retrieved. Step 42 is a delay based on a specific length of time or may be triggered at the start of an authentication process (e.g., a zero-knowledge identification protocol). After the delay in step 42, method 30 continues with step 36 and the agent will again contact the trusted source and read new values for s″ and n″.

FIG. 3 shows a challenge-response-validation iteration dialog between a prover agent (shown as process 48) and a verifier agent (shown as process 50). Process 48 performs processing to establish a need to authenticate and begins zero-knowledge identification protocol 46 in step 52, which may include retrieving and decrypting current values of secret s″ and the product n″. In step 52, process 48 (prover) sends a signal 54 to process 50 (verifier) to begin zero-knowledge identification protocol 46. In step 56, process 50 (verifier) performs any initial processing, which may include retrieving and decrypting current values of secret s″ and product n″. In step 56, process 50 sends signal 58 to process 48 (prover) to begin the authorization process. In step 60, process 48 (prover) generates a random number (“r”). Random number r is then used, in step 62, to generate a number x such that x=r^t mod n. In step 62, process 48 sends a signal 64 containing x to process 50 (verifier). In step 66, process 50 (verifier) then calculates a reply value b as a member of set {0 . . . t−1}. In step 66, process 50 sends a signal 68 containing b to process 48 (prover). In step 70, process 48 (prover) uses b to calculate a number y such that y=rs^b. In step 70, process 48 sends a signal 72 containing y to process 50 (verifier). Step 74 in process 50 is a decision. In step 74, process 50 performs a test to determine if process 48 (prover) has passed this iteration of zero-knowledge identification protocol 46. If y^t mod n=(xv^b) mod n and y<>0, then process 50 continues with step 78; otherwise process 50 continues with step 76. Step 78 in process 50 is a decision. In step 78, the number of challenge-response-verification iterations is compared to the number of iterations required to establish a suitable probability of correct authentication. If the number of challenge-response-validation iterations performed is the same as the number of challenge-response-validation iterations required, and process 48 (prover) has not failed any iterations, then process 48 continues with step 82; otherwise process 50 sends a signal 80 to process 48 to continue with step 60, thus beginning another challenge-response-validation iteration by repeating steps 60 through 74.

In step 82, process 50 continues with processing appropriate for authenticated process 48 (prover) and process 50 terminates. In step 76, process 50 (verifier) continues processing as appropriate for non-authentic agents, and process 50 terminates.
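The challenge-response-validation iteration of FIG. 3 (steps 60 through 82), as an added Python example that is not part of the patent text. The modulus, secret and answer-set size are constructed toy values and the function names are hypothetical; `guessing_round` shows why a party that does not hold s passes a single round only when it has guessed b in advance, which is the reason the verifier repeats the iteration.

```python
import secrets
from math import gcd

# Constructed toy parameters (far too small for real use): n = 53 * 61.
N = 3233
S = 123            # shared secret s, relatively prime to N
T = 4              # size of the answer set {0 .. t-1}
V = pow(S, T, N)   # step 40: v = s^t mod n

def random_unit(n):
    """Random value in [2, n-1] that is relatively prime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def prover_commit(n, t):
    """Steps 60-62: pick random r and send x = r^t mod n."""
    r = random_unit(n)
    return r, pow(r, t, n)

def verifier_challenge(t):
    """Step 66: pick b as a member of {0 .. t-1}."""
    return secrets.randbelow(t)

def prover_respond(r, s, b, n):
    """Step 70: y = r * s^b (reduced mod n here; the step 74 test is unchanged)."""
    return (r * pow(s, b, n)) % n

def verifier_check(x, b, y, v, n, t):
    """Step 74: the round passes iff y^t mod n == (x * v^b) mod n and y != 0."""
    return y % n != 0 and pow(y, t, n) == (x * pow(v, b, n)) % n

def authenticate(s, v, n, t, rounds):
    """Steps 60-82: authenticated only if every one of `rounds` iterations passes."""
    for _ in range(rounds):
        r, x = prover_commit(n, t)
        b = verifier_challenge(t)
        y = prover_respond(r, s, b, n)
        if not verifier_check(x, b, y, v, n, t):
            return False   # step 76: treated as non-authentic
    return True            # step 82: treated as authenticated

def guessing_round(guess, b, v, n, t):
    """One round against a party that lacks s and built x around a guessed b.

    It picks y first and sets x = y^t * v^(-guess) mod n, so the step 74
    test holds only when the verifier's actual b equals the guess.
    """
    y = random_unit(n)
    x = (pow(y, t, n) * pow(v, -guess, n)) % n   # modular inverse, Python 3.8+
    return verifier_check(x, b, y, v, n, t)

def false_accept_probability(t, rounds):
    """Chance that blind guessing survives `rounds` iterations with t answers."""
    return (1 / t) ** rounds

if __name__ == "__main__":
    print("honest prover, 20 rounds:", authenticate(S, V, N, T, 20))
    print("guess == b:", guessing_round(2, 2, V, N, T))
    print("guess != b:", guessing_round(2, 3, V, N, T))
    print("t=4, 1 round:", false_accept_probability(4, 1))
```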

FIG. 4 shows a system 89 with three clients 90(1-3), each running a prover agent 91(1-3), and a host 92 running an authentication agent 96 (verifier). Prover agents 91(1-3) implement process 48, FIG. 3, for example. Authentication agent 96 implements process 50, FIG. 3, for example. Communication links 100(1-3) establish connectivity between clients 90(1-3) and a connection module 94 within host 92. In system 89, client 90(1) seeks access to secure area 98 of host 92. Communication link 100(1) establishes connectivity between client 90(1) and connection module 94 within host 92. In one example, communication link 100(1) is a telephone dial-up connection. In another example, communication link 100(2) is an Internet connection. In another example, authentication agent 96 (verifier) protects secure area 98 allowing access only to authenticated clients. Communication link 100(3) is an Ethernet LAN connection. After client 90(1) is authenticated by host 92, a connection 102 is established and client 90(1) is allowed access to secure area 98. Once this connection has been established, authentication agent 96 may distribute a new secret from trusted source 106 to prover agent 90(1) for use in future authentication dialog. When prover agent 90(1) requests authentication at a future time after connection 110 has been broken, authentication agent 96 requests credentials from prover agent 90(1) from trusted source 106 via the host's internal connection 104. At this point the authentication dialog may take place between client 90(1) and host 92 to reestablish a trusted connection.

Zero-knowledge identification protocol 46, FIG. 3, is then performed. If zero-knowledge identification protocol 46 is successful, an access link 108 is activated to secure area 98, and client 90(1) may proceed with further processing. If zero-knowledge identification protocol 46 is not successful, processing continues with knowledge that client 90(1) is not authorized and, at a minimum, client 90(1) is inhibited from access to secure area 98.

FIG. 5 shows one system 500 that provides non-centralized zero-knowledge authentication within a dynamic network. Illustratively, system 500 includes two Ethernet LANs 502 and 504 that are not co-located. LAN 502 is connected to LAN 504 via a communication apparatus 505 that contains connection units 506, 508 and a communication link 510. Connection units 506 and 508 are, for example, routers or microwave transceivers. Communication link 510 is, for example, an ISDN link, the Internet, or a microwave link that provides data communication between two remote locations.

LAN 504 is shown connected to a wireless LAN device 512 that provides wireless connectivity to mobile computers 514 and 516. LAN 504 also illustratively connects to computer system 518 that includes authentication agent 520 (verifier). Before mobile computer 514 connects to LAN 504, it is first authenticated using zero-knowledge identification protocol 46 as shown in FIG. 3. Mobile computer 514 includes a prover agent 522 that interacts with authentication agent 520 to perform zero-knowledge identification protocol 46. Mobile computer 516 includes a prover agent 524 that interacts with authentication agent 520 to gain authentication to access LAN 504.

Trusted source 106, FIG. 4, implements process 10, FIG. 1, to generate a new secret s″ and a new product n″ periodically to prevent the malicious party compromising the values by guessing or factoring. Thus, once computer system 536 has been authenticated and is connected to LAN 502 it receives new values for secret s″ and product n″, using an encrypted message based on its current values for secret s″ and product n″. Thus, integrity and security of system 500 is maintained at a high level. Only during initialization of system 500, or when a mobile computer (e.g., mobile computers 514, 516) connects to wireless LAN interface 512 and requests authentication, is a predefined secret used.

Computer system 530 illustratively connects to LAN 502 and includes authentication agent 532 (prover). Computer systems 534 and 536 also connect to LAN 502; computer system 534 includes a prover agent 538 and computer system 536 includes a prover agent 540. Prover agent 538 interacts with authentication agent 532 to authenticate computer system 534 for access to LAN 502. Similarly, prover agent 540 interacts with authentication agent 532 to authenticate computer system 536 for access to LAN 502.

Authentication agents 520 and 532 operate independently to authenticate mobile computers 514, 516 and desktop computers 534, 536 for access to LANs 504 and 502, respectively. Optionally, once a computer (e.g., computers 534, 536 and mobile computers 514 and 516) is authenticated and remains connected within system 500, it may operate to authenticate other computers (i.e., may operate as an authentication agent). Further, once authenticated and connected within system 500, the computer may operate to interact with other computers seeking authentication, enabling communication between the other computers and an authentication agent.

For example, and with reference to FIG. 5, consider computer 518 and 530 existing on the computer network defined by LANs 502, 504 and communications link 510 (at boot up to establish the network, computer 518, 530 are initialized with the same secret and thus both operate with respective authentication agents, as shown). When any other computer 534, 536, 514, 516 desires access to this computer network, it may do so only through zero knowledge authentication, such as zero-knowledge identification protocol 46 (i.e., the dialog between authentication agent 520 and prover agent 538, 540, 522, 524, respectively). Once authenticated on the network, the computer may be promoted to operate with an additional authentication agent so as to provide authentication to other computers desiring access to the network. Accordingly, the network is “dynamic” in that it allows additional, flexible authentications to occur and expand the network. To enable this non-centralized zero knowledge authentication, authentication software (including authentication and prover agents) may be preloaded into each computer (e.g., computers 514, 516, 518, 530, 534, 536).

In one example, a computer network includes multiple base stations that operate to provide a mobile telephone network. Each base station contains an authentication agent. Each mobile handset includes a prover agent that connects to the mobile telephone network. Before the mobile handset is allowed to use any services of the mobile telephone network, the authentication agent in the base station selected by the mobile handset interacts with the prover agent in the mobile handset. If the authentication agent is satisfied that the prover knows the secret, it becomes authenticated and authorized to use the mobile telephone network. By using a ZKIP, the secret is never transmitted to or from the mobile handset, and therefore not susceptible to malicious snooping.

1. A method of non-centralized zero-knowledge authentication for a computer network, comprising steps of: establishing a first computer having a first authentication agent and a first prover agent on the computer network; detecting a first authentication request over the computer network from a second computer having a second prover agent; authenticating the second prover agent through a zero-knowledge identification protocol; and promoting the second computer with a second authentication agent to perform authentication for the computer network.

2. The method of claim 1, further comprising periodically generating and distributing a new secret to the first and second authentication agents.

3. The method of claim 1, further comprising: detecting a second authentication request over the computer network from a third computer having a third prover agent; authenticating the third prover agent through a zero-knowledge identification protocol with the second authentication agent; and promoting the third computer with a third authentication agent to perform authentication for the computer network.

4. The method of claim 1, further comprising periodically publishing encrypted numbers for the zero-knowledge identification protocol, including the steps of: generating first and second large prime numbers; calculating a product of the first and second large prime numbers; generating a secret to have a value relatively prime to the product, greater than zero and less than the product; encrypting the product; encrypting the secret; and publishing encrypted values of the secret and product.

5. A system of non-centralized zero-knowledge authentication for a computer network, comprising: two or more computers establishing the computer network, each of the computers containing an authentication agent, secret and prover agent; and a requesting computer having a prover agent, for requesting access to the computer network, wherein the prover agent of the requesting computer and one of the authentication agents of the two or more computers engaging in a zero-knowledge authentication protocol, and wherein the requesting computer operates with an authentication agent on the computer network when the requesting computer is authenticated through the zero-knowledge authentication protocol.

6. The system of claim 5, further comprising a trusted source for periodically generating a new secret for the authentication agents of computers on the network.

7. The system of claim 5, the requesting computer comprising a cell phone.

8. The system of claim 7, wherein the cell phone is authenticated without transmitting the secret to or from the cell phone.

9. A software product comprising instructions, stored on computer-readable media, wherein the instructions, when executed by a computer, perform steps for non-centralized zero-knowledge authentication for a computer network, comprising: instructions for establishing a first computer having a first authentication agent and a first prover agent on the computer network; instructions for detecting a first authentication request over the computer network from a second computer having a second prover agent; instructions for authenticating the second prover agent through a zero-knowledge identification protocol; and instructions for promoting the second computer with a second authentication agent to perform authentication for the computer network.